oss-sec mailing list archives
RE: CVE Request - Samsung Exynos GPU driver OOB read
From: "idl3r" <idler1984 () gmail com>
Date: Fri, 20 Jan 2017 00:19:34 +0800
Unfortunately, there is no official git for tracking from Samsung, so I can't give a pointer to the particular commit.

The bug itself resides in <root>/drivers/gpu/arm/t7xx/r5p0/mali_kbase_core_linux.c of the src tree, in function kbase_dispatch which is the main ioctl dispatcher of the driver:

static mali_error kbase_dispatch(struct kbase_context *kctx, void * const args, u32 args_size)
{
    ...
    /* setup complete, perform normal operation */
    switch (id) {
    ...
    case KBASE_FUNC_TMU_SKIP:
        {
/* MALI_SEC_INTEGRATION */
#ifdef CONFIG_SENSORS_SEC_THERMISTOR
#ifdef CONFIG_USE_VSYNC_SKIP
            struct kbase_uk_tmu_skip *tskip = args;
            int thermistor = sec_therm_get_ap_temperature();
            u32 i, t_index = tskip->num_ratiometer;

            for (i = 0; i < tskip->num_ratiometer; i++)    /* <== missing boundary check */
                if (thermistor >= tskip->temperature[i])
                    t_index = i;

tskip->temperature is a uint32 array of static size (10 elements) and tskip->num_ratiometer a uint32 which is user controlled. Since the boundary check is missing, OOB read may happen leading to possible memory corruption.

-----Original Message-----
From: Greg KH [mailto:greg () kroah com]
Sent: Thursday, January 19, 2017 10:37 PM
To: oss-security () lists openwall com
Cc: Anarcheuz Fritz <anarcheuz () gmail com>; cve-assign () mitre org
Subject: Re: [oss-security] CVE Request - Samsung Exynos GPU driver OOB read

On Thu, Jan 19, 2017 at 02:38:31PM +0800, Idler wrote:
Hello,

I'd like to request CVE for the following security issue:

Security bulletin: http://security.samsungmobile.com/smrupdate.html#SMR-JAN-2017

SVE-2016-6362: out of bound read in gpu driver
Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos AP chipsets
Reported on: May 31, 2016
Disclosure status: Privately disclosed.

Vulnerability in gpu driver does not properly check the boundary of buffers leading to a possible memory corruption. The applied patch avoids an illegal access to memory by checking the boundary.

Source code:
Source code of the affected GPU drivers (as part of the Linux kernel source) can be downloaded from Samsung Opensource Resource center: http://opensource.samsung.com/

The particular model of phone we used to reproduce this issue is:
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=SM-G9200

Any pointer to the commit(s) that happened to resolve this issue?

thanks,

greg k-h
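
The missing check described in the message above, as an added example that is not part of the original post and is not Samsung's patch: a user-space C version of the quoted loop that validates the caller-supplied count against the fixed array size before indexing. The struct `tmu_skip_args`, the function `tmu_pick_index`, the `-EINVAL` return and the sample values are hypothetical; only the two fields named in the message are modelled.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TMU_TABLE_LEN 10 /* the message gives temperature[] as 10 elements */

/* Hypothetical stand-in for struct kbase_uk_tmu_skip: only the two fields
 * named in the message are modelled. */
struct tmu_skip_args {
    uint32_t temperature[TMU_TABLE_LEN];
    uint32_t num_ratiometer; /* supplied by the ioctl caller */
};

/* Returns the selected index (0..count, count meaning "no match", as in
 * the quoted loop) or -EINVAL when the count exceeds the table. */
int tmu_pick_index(const struct tmu_skip_args *tskip, int thermistor)
{
    uint32_t i, count, t_index;

    if (tskip == NULL)
        return -EINVAL;

    count = tskip->num_ratiometer;
    if (count > TMU_TABLE_LEN) /* the check the quoted loop lacks */
        return -EINVAL;

    t_index = count;
    for (i = 0; i < count; i++)
        /* cast makes the original's implicit int -> u32 conversion explicit */
        if ((uint32_t)thermistor >= tskip->temperature[i])
            t_index = i;
    return (int)t_index;
}

/* Constructed sample inputs, not taken from a device. */
static const struct tmu_skip_args sample_ok =
    { {10, 20, 30, 40, 50, 60, 70, 80, 90, 100}, 10 };
static const struct tmu_skip_args sample_bad =
    { {10, 20, 30, 40, 50, 60, 70, 80, 90, 100}, 0xffffffffu };

int main(void)
{
    printf("in range:     %d\n", tmu_pick_index(&sample_ok, 55));
    printf("out of range: %d\n", tmu_pick_index(&sample_bad, 55));
    return 0;
}
```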